[CRIU] [PATCH 2/3] add a test for SECCOMP_MODE_STRICT
Tycho Andersen
tycho.andersen at canonical.com
Mon Jun 1 12:52:29 PDT 2015
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
test/zdtm.sh | 2 +
test/zdtm/.gitignore | 1 +
test/zdtm/live/static/Makefile | 1 +
test/zdtm/live/static/seccomp_strict.c | 81 ++++++++++++++++++++++++++++++++++
4 files changed, 85 insertions(+)
create mode 100644 test/zdtm/live/static/seccomp_strict.c
diff --git a/test/zdtm.sh b/test/zdtm.sh
index 9d97779..f0d194d 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -151,6 +151,7 @@ generate_test_list()
static/dumpable01
static/dumpable02
static/deleted_dev
+ static/seccomp_strict
"
#
@@ -332,6 +333,7 @@ netns-dev
sockets00
cow01
apparmor
+seccomp_strict
"
CRIU_CPT=$CRIU
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index 443e108..36f9e75 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -101,6 +101,7 @@
/live/static/rtc
/live/static/sched_policy00
/live/static/sched_prio00
+/live/static/seccomp_strict
/live/static/selfexe00
/live/static/sem
/live/static/session00
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index a968bbe..8ea8d82 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -123,6 +123,7 @@ TST_NOFILE = \
aio00 \
fd \
apparmor \
+ seccomp_strict \
# jobctl00 \
TST_FILE = \
diff --git a/test/zdtm/live/static/seccomp_strict.c b/test/zdtm/live/static/seccomp_strict.c
new file mode 100644
index 0000000..8d867fe
--- /dev/null
+++ b/test/zdtm/live/static/seccomp_strict.c
@@ -0,0 +1,81 @@
+#include <unistd.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
+#include <linux/limits.h>
+#include "zdtmtst.h"
+
+const char *test_doc = "Check that SECCOMP_MODE_STRICT is restored";
+const char *test_author = "Tycho Andersen <tycho.andersen at canonical.com>";
+
+int main(int argc, char ** argv)
+{
+ pid_t pid;
+ FILE *f;
+ char buf[PATH_MAX];
+ bool found = false;
+ int ret = 1;
+
+ test_init(argc, argv);
+
+ pid = fork();
+ if (pid < 0) {
+ err("fork");
+ return -1;
+ }
+
+ if (pid == 0) {
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) < 0) {
+ err("prctl failed");
+ return -1;
+ }
+
+ while(1)
+ /* can't sleep() here, seccomp kills us */;
+ }
+
+ test_daemon();
+ test_waitsig();
+
+ sprintf(buf, "/proc/%d/status", pid);
+ f = fopen(buf, "r+");
+ if (!f) {
+ err("fopen failed");
+ goto out;
+ }
+
+ while (NULL != fgets(buf, sizeof(buf), f)) {
+ int mode;
+ char state;
+
+ if (sscanf(buf, "State: %c %*s", &state) == 1 && state != 'R') {
+ fail("resumed but state is not R (%c), seccomp killed the process during resume\n", state);
+ goto out;
+ }
+
+ if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
+ continue;
+
+ found = true;
+ if (mode != SECCOMP_MODE_STRICT) {
+ fail("seccomp mode mismatch %d\n", mode);
+ fclose(f);
+ goto out;
+ }
+
+ break;
+ }
+ fclose(f);
+
+ if (!found) {
+ fail("seccomp not found?\n");
+ goto out;
+ }
+
+ ret = 0;
+ pass();
+out:
+ kill(pid, SIGKILL);
+ return ret;
+}
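Review bot: The `State:` failure branch in the read loop jumps to `out` without closing `f`, while the mode-mismatch branch just below it does call `fclose(f)`; adding `fclose(f);` before that first `goto out;` keeps the two error paths consistent. The status file is only ever read, so `fopen(buf, "r")` is sufficient; `"r+"` requests write access to the /proc status file that the test never uses and that may be refused if the test runs without privileges. If the child's `prctl()` call fails it returns from `main` before the parent inspects it, so the parent would probably report "seccomp killed the process during resume" for what is really a setup failure. A distinct message for that case would make a failing run easier to triage.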
--
2.1.4